Secure Coding mailing list archives

re-writing college books - erm.. ahm...


From: rcs at cert.org (Robert C. Seacord)
Date: Sat, 28 Oct 2006 09:43:58 -0400

Crispin,

I think you may have overspoken below:

> Seeking perfect correctness as an approach to security is a fool's
> errand. Security is designing systems that can tolerate imperfect software.

I could go along with "achieving perfect correctness as an approach to
security is a fool's belief" but I believe the desire to achieve
correctness is a prerequisite for security.

More specifically, I have found that systematic schemes for providing
software security (such as memory protection, canaries, etc.) are
generally ineffective once a coding error (such as a buffer overflow)
allows an attacker to penetrate the peripheral defense of code
correctness.  Given the current state of software security, I don't
think any security "best" practice can be abandoned and that
defense-in-depth is a practical necessity.

Also, back on the book topic, I recently heard of an older but
successful book that did nothing but take examples from other books and
show in detail how they were incorrect.  Perhaps such a "supplemental"
text could be developed for commonly used text books.

rCs
